Reserve data-mw and data-parsoid attribute prefix for trusted values

Don't let users set attributes starting with data-mw or data-parsoid. The main idea is to allow MediaWiki to use data-mw-<something> attributes for trusted input to client side scripts. There have been a couple security vulnerabilities in the past based on users being able to manipulate a data attribute, which client side was assuming was trusted. Also include data-mw and data-parsoid as both are used by Parsoid currently. See https://lists.wikimedia.org/pipermail/wikitech-l/2015-November/083811.html A corresponding change will also have to be made in Parsoid. Change-Id: I06585380bde3bc57b17ad76740c5acc2056d7c44
2015-11-12 23:24:52 -05:00 · 2015-11-12 23:24:52 -05:00 · b62f0e9156
commit b62f0e9156
parent e1ebc2de02
2 changed files with 18 additions and 1 deletions
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@ -750,7 +750,15 @@ class Sanitizer {
 			}

 			# Allow any attribute beginning with "data-"
-			if ( !preg_match( '/^data-(?!ooui)/i', $attribute ) && !isset( $whitelist[$attribute] ) ) {
+			# However:
+			# * data-ooui is reserved for ooui
+			# * data-mw and data-parsoid are reserved for parsoid
+			# * data-mw-<ext name here> is reserved for extensions (or core) if
+			#   they need to communicate some data to the client and want to be
+			#   sure that it isn't coming from an untrusted user.
+			if ( !preg_match( '/^data-(?!ooui|mw|parsoid)/i', $attribute )
+				&& !isset( $whitelist[$attribute] )
+			) {
 				continue;
 			}

--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@ -26339,3 +26339,12 @@ Empty LI (T49673)
 <li>b</li>
 </ul>
 !! end
+
+!! test
+reserved data attributes stripped
+!! wikitext
+<div data-mw="foo" data-parsoid="bar" data-mw-someext="baz" data-ok="fred" data-ooui="xyzzy">d</div>
+!! html
+<div data-ok="fred">d</div>
+
+!! end